September 2017

September 28, 2017

Doesn't it seem like we've heard the same story before with different players? Yes, once again we have an inadvertently misaddressed e-mail going to the last place you want it to go – to a reporter with The Wall Street Journal.

Corporate Counsel carried the story, reporting that Wilmer, Cutler, Pickering, Hale and Dorr was caught up on September 27th in an e-mail error that revealed secret U.S. Securities and Exchange Commission and internal investigations at PepsiCo, after a Wilmer lawyer accidentally sent a Wall Street Journal reporter privileged documents detailing a history of whistleblower claims at the company.

The internal investigation revolves around PepsiCo's 2011 acquisition of the Russian drinks company Wimm-Bill-Dann and the departure of general counsel Maura Smith in 2012 following allegations of financial misreporting and other wrongdoing at PepsiCo. A subsequent SEC investigation into Smith's dismissal, and whether the company fired her in violation of whistleblower laws, is "at an early stage," The Wall Street Journal reported.

The reporter learned details about the years-old internal investigation started by Smith and about the more recent SEC probe, for which Smith was subpoenaed. The information included an August 31 memo about Smith's subpoena and her contact with federal investigators that was "mistakenly sent by a WilmerHale attorney to a Wall Street Journal reporter as part of communication to other attorneys working on the matter," the report said.

Wilmer's explanation and apology, sent from a spokesman, came less than three hours after the newspaper published its report. The law firm said it "inadvertently" leaked privileged information by e-mail, then asked the reporter to delete what he received. Wilmer accuses the newspaper of going back on its word to delete leaked documents.

Wilmer's statement reads like a law firm's nightmare:

"We deeply regret that privileged documents were inadvertently emailed to a reporter at The Wall Street Journal. WilmerHale takes full responsibility, and we apologize to our client. We promptly advised The Wall Street Journal of the error and asked the reporter to delete the material. The reporter told us he had deleted the material, but we later learned he had printed and retained hard copies.

We are disappointed that The Journal has decided to publish private information it knew was protected by our client's legal privilege. We are taking additional measures designed to ensure that emails are not misaddressed to unintended recipients."

For complete details of what was revealed, be sure to read the full story. Not sure if this is an "auto-complete" nightmare again, but it seems probable. Always double check who you are sending e-mails to before you hit 'Enter'.
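The "additional measures" Wilmer mentions usually come down to a pre-send gate: a message that carries a privilege marker may only leave for addresses the sender's organisation trusts. The following is an added example (not code from the original post or from any firm named in it) of such a check in Python. The domain names, privilege markers and the two sample messages are constructed for the demonstration; a real deployment would plug the check into the mail client or an outbound DLP rule.

```python
"""Pre-send recipient check for privileged e-mail (added example).

A message whose subject carries a privilege marker is blocked when any
To/Cc/Bcc address falls outside the firm's own domains or an explicit
allow list of outside parties. All names below are constructed.
"""
from email.utils import getaddresses

# Constructed: the sending organisation's own domains (assumption).
INTERNAL_DOMAINS = {"lawfirm.example"}
# Constructed: outside parties cleared to receive privileged material.
ALLOWED_EXTERNAL = {"client.example"}
# Constructed subject-line markers that flag a message as privileged.
PRIVILEGE_MARKERS = ("privileged", "attorney-client", "work product")


def in_domains(domain, domains):
    """True if domain equals, or is a subdomain of, any entry in domains."""
    return any(domain == d or domain.endswith("." + d) for d in domains)


def recipient_domains(header_values):
    """Return (address, domain) pairs from a list of To/Cc/Bcc header strings.

    getaddresses() strips display names and angle brackets, so the
    auto-completed form '"Jane Roe" <jane@client.example>' yields the
    bare address; entries without an '@' are ignored.
    """
    pairs = []
    for _name, addr in getaddresses(header_values):
        addr = addr.strip().lower()
        if "@" not in addr:
            continue
        pairs.append((addr, addr.rsplit("@", 1)[1]))
    return pairs


def is_privileged(subject):
    """Case-insensitive match of the subject against the privilege markers."""
    lowered = subject.lower()
    return any(marker in lowered for marker in PRIVILEGE_MARKERS)


def check_message(msg):
    """Evaluate one outbound message.

    msg: dict with 'subject' and optional 'to', 'cc', 'bcc' lists of header
    strings. Returns a dict with the privilege flag, every recipient outside
    the trusted domains, and whether sending should be blocked (privileged
    content AND at least one untrusted recipient).
    """
    headers = msg.get("to", []) + msg.get("cc", []) + msg.get("bcc", [])
    external = [
        addr
        for addr, dom in recipient_domains(headers)
        if not in_domains(dom, INTERNAL_DOMAINS)
        and not in_domains(dom, ALLOWED_EXTERNAL)
    ]
    privileged = is_privileged(msg.get("subject", ""))
    return {
        "privileged": privileged,
        "external": external,
        "block": privileged and bool(external),
    }


# Constructed sample messages: one stays inside trusted domains, the other
# has an auto-completed outside address in Cc.
SAFE_MSG = {
    "subject": "Privileged & Confidential: memo re subpoena",
    "to": ['"A. Partner" <partner@lawfirm.example>'],
    "cc": ["gc@client.example", "associate@mail.lawfirm.example"],
}
MISADDRESSED_MSG = {
    "subject": "Privileged: draft memo",
    "to": ["partner@lawfirm.example"],
    "cc": ['"R. Reporter" <reporter@newspaper.example>'],
}

if __name__ == "__main__":
    for message in (SAFE_MSG, MISADDRESSED_MSG):
        print(message["subject"], "->", check_message(message))
```

The check deliberately keys on the subject marker rather than on message text, so it cannot be defeated by a forwarded thread whose body never mentions privilege; a non-privileged message to an outside address is reported but not blocked, which keeps ordinary correspondence flowing while still surfacing the external recipient to the sender.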

September 27, 2017

Well, if that's not a scary headline, I don't know what is. SC Media reported that the Department of Homeland Security told 21 states on September 22nd that their election systems had been targeted by hackers representing the Russian government. The states included Oklahoma, Alabama, Colorado, Virginia, Connecticut, Washington, Iowa, Wisconsin, Maryland, Pennsylvania, Minnesota and Ohio.

The states had pressed for confirmation that their systems had indeed been targeted.

"We heard feedback from the secretaries of state that this was an important piece of information," the Washington Post quoted Bob Kolasky, acting DHS deputy undersecretary for the National Protection and Programs Directorate, as saying. "We agreed that this information would help election officials make security decisions."

Calling the delay in notification "unacceptable," Senate Select Committee on Intelligence Vice Chairman Sen. Mark R. Warner, D-Va., said in a statement that he was "relieved that DHS has acted upon our numerous requests and is finally informing the top elections officials in all 21 affected states that Russian hackers tried to breach their systems in the run up to the 2016 election."

Pledging that his committee would continue its "bipartisan investigation into what happened in 2016" and "determine what steps we need to take to stop the next attack on our democracy," Warner stressed that "All 50 states need to be proactively strengthening the security of their election systems in the face of this threat."

While DHS did not initially release the names of the states affected, the Associated Press and others have listed the states referenced above as targeted.

September 26, 2017

The Guardian reported on September 25th that "big four" accountancy firm Deloitte was victimized by a cyber attack that compromised confidential e-mails and plans of some of its blue chip clients. Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world's biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.

According to the newspaper, Deloitte clients across all of these sectors had material in the company e-mail system that was breached.

Thus far, six of Deloitte's clients have been told their information was "impacted" by the hack. Deloitte's internal review into the incident is ongoing. The hackers may have had access to data since October or November of 2016, but the hack was discovered in March of 2017.

The hacker compromised the firm's global e-mail server through an "administrator's account" that, in all likelihood, gave the hacker privileged, unrestricted "access to all areas." The account reportedly required a single password and did not have "two-step" verification.

E-mails to and from Deloitte's 244,000 staff were stored in the Azure cloud service, which was provided by Microsoft. The Guardian believes the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information.

The breach is believed to have been focused on U.S. clients and was regarded as so sensitive that only a few of Deloitte's most senior partners and lawyers were informed.

The Guardian was told that the internal inquiry into how this happened is codenamed "Windham." It has involved specialists trying to map out exactly where the hackers went by analyzing the electronic trail of the searches that were made.

Investigators have not yet discovered whether a lone hacker, business rivals or state-sponsored hackers were responsible.

Law firm Hogan Lovells has been retained to provide "legal advice and assistance to Deloitte LLP, the Deloitte Central Entities and other Deloitte Entities" about the potential fallout from the hack.

Deloitte confirmed it had been the victim of a hack but insisted only a small number of its clients had been "impacted."

The Guardian was told an estimated 5 million e-mails were in the "cloud" and could have been accessed by the hackers. Deloitte said the number of e-mails that were at risk was a fraction of this number but refused to comment further.

Deloitte declined to say which government authorities and regulators it had informed, or when, or whether it had contacted law enforcement agencies.

While all major companies are targeted by hackers, the breach is a profound embarrassment for Deloitte, which offers clients advice on how to manage the risks posed by sophisticated cybersecurity attacks.

September 25, 2017

If you don't, I won't spoil the fun of watching the 1951 film The Day the Earth Stood Still. But if you've always loved SciFi, wondered if Skynet was coming or if The Minority Report was actually a prediction of the future we needed to worry about, then you should defer whatever you planned to do next and register for the 2017 Futures Conference of the College of Law Practice Management.

EARLY BIRD REGISTRATION CLOSES SEPTEMBER 30TH. That's a good reason to register right now. The theme of this year's conference is "Running with the Machines: Artificial Intelligence in the Practice of Law."

Take a look at the fascinating session titles and the stellar faculty – and register here.

September 21, 2017

The ABA Journal reported that, on September 11th, Nebraska issued an ethics advisory opinion allowing lawyers to accept payment in cryptocurrencies such as bitcoin. This appears to be the first such state bar ethics opinion.

The ethics opinion by the Lawyer's Advisory Committee states that a growing number of law firms in other jurisdictions accept payments in bitcoin, a currency with volatile prices. In 2013, for example, the price fluctuated from about $7 per bitcoin to $1,200 per bitcoin. According to the opinion, immediate conversion to dollars mitigates the risk of volatility and of possible unconscionable overpayment for legal services.

Here are the three steps recommended by the opinion when a payment for legal fees is made in digital currency.

First, the lawyer should notify the client that the payment will be immediately converted to U.S. dollars. Second, the lawyer should make the conversion through a payment processor. Third, the lawyer should credit the client's account at the time of payment.

The opinion also says that lawyers who accept virtual currency "must be careful to see that this property they accept as payment is not contraband, does not reveal client secrets, and is not used in a money-laundering or tax avoidance scheme; because convertible virtual currencies can be associated with such mischief."

The opinion allows lawyers to hold digital currencies in trust for clients after advising that the currency won't be converted to U.S. dollars, but the currency must be held separate from the lawyer's property and must be properly safeguarded. There is no bank or FDIC insurance to reimburse a client for hacked bitcoin, so lawyers should take precautions such as encryption or use of more than one private key for access. Interesting that cybersecurity was one focus of the opinion.

Bitcoin may not be deposited into a client trust account unless converted to U.S. dollars. If the bitcoin payment is intended to serve as a retainer that will be drawn on for future fees, the lawyer must immediately convert it to U.S. dollars before depositing it into the trust account.

As soon as I learned of this opinion, I contacted Virginia State Bar Counsel Jim McCauley to request that Virginia consider issuing similar ethical guidance for lawyers wishing to accept cryptocurrencies. When John and I lecture, we are frequently asked about the ethics of accepting such payments – hopefully, we will have guidance on that issue soon!

September 20, 2017

As The New York Times reported last week, eleven people whose phones and laptops were searched at United States airports and at the nation's northern border are suing the Department of Homeland Security. The lawsuit, filed last Wednesday by the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF), claims the plaintiffs' First and Fourth Amendment rights were violated when United States agents searched, and in some cases confiscated, their devices without a warrant. The government has said those searches happen to fewer than one-hundredth of one percent of international travelers, and that they are authorized by the same laws that allow border agents to look through suitcases without a judge's approval.

Privacy advocates do not agree. They say that those laws, drafted with luggage in mind, should not apply to digital devices that hold a large amount of personal data related to their owners and others they have contacted.

The searches, which began under the George W. Bush administration and became more common during the Obama administration, have sharply increased in the past year. According to the most recent data available, there were nearly 15,000 searches from October 2016 to March 2017, compared with 8,383 in the same period a year before.

In March, Joseph B. Maher, the acting general counsel for the Department of Homeland Security, defended the practice. "These electronic media searches have produced information used to combat terrorism, violations of export controls, and convictions for child pornography, intellectual property rights violations and visa fraud," he wrote. "This authority is critical to our mission, and Customs exercises it judiciously."

While police officers on the street cannot compel you to hand over your phone without probable cause, border agents can search and confiscate digital devices just as they can search your suitcase. Courts have long held that customs officials have an interest in enforcing immigration laws and keeping contraband out of the country.

At least one major judicial case has acknowledged that cellphones are not the same as suitcases. In a 2014 Supreme Court decision that made it harder for police to search cellphones without a warrant, Chief Justice John G. Roberts Jr. wrote that the devices contained "the privacies of life."

The policies that direct border agents are written to allow the digital searches "with or without individualized suspicion." But it's not clear what, exactly, border agents are searching through when they seize devices. That is especially true when the searches are not done in the presence of the device owners.

In June, Kevin McAleenan, the acting commissioner for Customs and Border Protection, wrote in a letter to lawmakers that agents are not permitted to look at data stored solely in the "cloud." According to the letter, agents would be limited to data stored directly on the device, including photos, text messages, call histories and contacts.

Esha Bhandari, an ACLU staff attorney, said in an interview that it was unclear whether agents would be permitted to search cloud-based apps on the phone, which would include social media accounts and email. "We don't think it changes anything with respect to the constitutional claims at issue here, which is that the government needs to get a warrant before it searches devices," said Ms. Bhandari.

The Knight First Amendment Institute at Columbia University filed Freedom of Information Act requests in March to learn how the government was using its authority, but said that so far it has received only heavily redacted reports. Jameel Jaffer, the institute's executive director, said that the searches could have a chilling effect on journalists, lawyers and doctors, who often travel with their devices and have a professional obligation to shield the identities of their sources, clients and patients and their information.

"It's hard to see how the kind of unfettered authority that border agents have been invested with can be reconciled with the limits the constitution places on government power," Mr. Jaffer said.

Of the 11 people who filed the lawsuit, 10 are American citizens and one is a permanent resident. They include journalists, students, a NASA engineer and an artist.

While the government cannot compel travelers to unlock their phones, several of the plaintiffs said they were intimidated into doing so. Four of them said their devices were confiscated; one of them, Suhaib Allababidi, a business owner from Texas, said the government kept an unlocked phone of his for two months, and hadn't returned a locked phone after more than seven months.

I am glad the ACLU and EFF are bringing this issue to the courts – for too long, these fundamental constitutional issues have not been directly addressed.

September 19, 2017

Wired reported that, last Tuesday, Apple unveiled a new line of phones with one feature immediately falling under scrutiny: FaceID, a tool that would use facial recognition to identify individuals and unlock their phones.

So why all the anxiety? Retailers already want facial recognition to track consumers – minus legally binding terms, Apple could use FaceID to track consumer patterns at its stores, or develop similar data and sell it to others. It's also likely that police would be able to more easily unlock phones without consent by simply holding an individual's phone up to his or her face.

But the greatest threat comes from government surveillance - using mass scans to identify individuals based on face profiles. Law enforcement is rapidly increasing the use of facial recognition; one in two American adults are already enrolled in a law enforcement facial recognition network, and at least one in four police departments have the capacity to run face recognition searches. But until now, utilizing consumer platforms hasn't been an option. While Facebook has a powerful facial recognition system, it doesn't maintain the operating systems that control the cameras on phones, tablets, and laptops that look at us every day. Apple's new system changes that. For the first time, a company will have a facial recognition system with millions of profiles, and the hardware to scan and identify faces throughout the world.

This could, at least in theory, make Apple a target for a new type of mass surveillance order. The government could issue an order to Apple with a set of targets and instructions to scan iPhones, iPads, and Macs to search for specific targets based on FaceID, and then provide the government with those targets' location based on the GPS data of the devices that receive a match. Apple has a good record of fighting for user privacy, but there's only so much the company could do if its objections to an order are rejected by the courts.

Last Wednesday, Sen. Al Franken (D-Minnesota) released a letter to Apple CEO Tim Cook, asking how the company will handle the technology's security and privacy implications.

Edward Snowden's disclosures revealed the existence of Upstream, a program under FISA Section 702 (set to expire in just a few months). With Upstream, the NSA scans all internet communications going into and out of the United States for surveillance targets' e-mails, as well as IP addresses and what the agency has called cybersignatures. Last year, Reuters revealed that Yahoo, in compliance with a government order, built custom software to scan hundreds of millions of e-mail accounts for content that contained a digital signature used by surveillance targets.

Many believe these mass scans are unconstitutional and unlawful, but that has not stopped the government. Those concerns have not prevented the FISA Court from approving the government's requests, usually with the public totally unaware that mass scans continue to sift through millions of Americans' private communications.

By generating millions of face prints while simultaneously controlling the cameras that can scan and identify them, Apple might soon face a government order to turn its new unlocking system into the killer app of all time for mass surveillance.

There are steps Apple can take to prevent becoming this killer app. Face prints developed through FaceID should be stored only locally on devices, and should be fully encrypted so that the company cannot access them remotely, even if legally compelled to surreptitiously take control of an iPhone.

But remember that Apple and the FBI are still fighting over encryption. Therefore, Apple should also update its Transparency Reports to include data on whether it receives orders to turn over facial recognition profiles, or to conduct facial recognition scans, which would ring an alarm bell if it receives an order related to FaceID in the future.

And hey, talk to your representatives in Congress about applying the brakes to mass surveillance. Or, if they don't listen, send them packing.

September 18, 2017

ZDNet reported last week that the US Dept. of Homeland Security (DHS) has issued a binding operational directive to all federal agencies, ordering them to cease using Kaspersky Lab software within 90 days over concerns with the Russian-based company's ties to the Kremlin.

DHS has given federal agencies 30 days to identify Kaspersky Lab products on their networks, and orders them to remove the products and discontinue present and future use within the following 60 days.

DHS said, "Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems."

According to DHS, there are requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky Lab and to intercept communications transiting Russian networks. "The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky Lab products to compromise federal information and information systems directly implicates US national security," the department continued.

DHS will let Kaspersky submit a written response addressing the department's concerns. Reuters reports that Kaspersky has already rejected the allegations regarding espionage.

There doesn't appear to be any credible evidence against Kaspersky thus far. While I understand the concern surrounding the use of Kaspersky, it is a pity in many ways. Kaspersky Lab produces first class software and is often the first on the block to discover and report new threats and ways to protect against them.

September 14, 2017

A Gartner forecast says that cybersecurity spending will grow 7% over last year to reach $86.4 billion in 2017. Spending is expected to grow to $93 billion in 2018.

"Rising awareness among CEOs and boards of directors about the business impact of security incidents and an evolving regulatory landscape have led to continued spending on security products and services," said Sid Deshpande, principal research analyst at Gartner.

Another assumption behind Gartner's latest information security market forecast: the EU General Data Protection Regulation (GDPR) has created renewed interest, and will drive 65 percent of data loss prevention buying decisions today through 2018. The GDPR has caused an overall panic and unease among organizations in Europe, but will also have a global effect since multinationals will also need to adhere to the new law.

While organizations are working toward strengthening their knowledge of the regulation, those with some form of data loss prevention (DLP) already implemented are determining what additional capabilities they need to invest in (specifically, integrated DLP such as data classification, data masking and data discovery). In addition, organizations that do not already have strong DLP in place are looking to increase their capabilities.

Gartner has a way of outlining where security companies should be allocating their efforts. I'm listening as I am sure other company executives are!

September 13, 2017

The Protenus Breach Barometer Report: Mid-Year Review states that there have been 233 reported data breaches in the healthcare industry in the first half of 2017, and 41% of them have been caused by insiders. The report adds that breaches caused by insiders, either deliberately or accidentally, are less common than hacks (53%), but they affect more patient records and can go undetected for much longer.

Protenus breaks down insiders into two categories - insider error and insider wrongdoing (also known as malicious insiders). Insider error is the result of employees or contractors not being aware of their security obligations. Examples include misplacing or not properly securing files, e-mailing confidential information to someone outside the company, or creating software with security flaws.

Such breaches can be managed by revising security policies and educating staff on handling confidential information.

Insider wrongdoing is harder to defend against, as it is caused by employees with legitimate access to the information or former employees whose access hasn't been revoked. The threat of malicious insiders can be partially mitigated by implementing privileged access rights, but this isn't foolproof as most employees will need to be able to access some information, and there's almost no way to spot a potential insider threat 100% of the time.

Protenus says that breaches caused by insider wrongdoing led to many more exposed records than insider error (743,665 versus 423,000), but occur less frequently (36 incidents versus 57 incidents).

Health care breaches constitute 30% of all U.S. data breaches, coming in second only behind the business sector.

Bottom line: In 2016, we were looking at a trend of one health data breach a day. In 2017, we're expected to have more than one a day. Oh joy . . .

Sensei Enterprises, Inc.

3975 University Drive
Suite 225
Fairfax, VA 22030
703.359.0700
